The problem with that is that, for example in Sweden, KYC is very strict (they have higher standards than other EU countries); they will request KYC by sending an email with a link to the KYC form. The only way to access the KYC form is via the link in the email.

So teaching "Never click on a link in any email message" will just get customers' accounts closed. (It's possible to visit the branch physically to give KYC information too, but due to covid-19 the physical branches are currently closed.) That's why I suggest some simple scheme with a QR code making it easier to validate, at least on a computer. However, on a phone it is a bit more complicated, as you have no way to know if it's a genuine popup from the phone or a fake popup shown on a web page inside. The idea is that you should be able to teach users "Scan the QR code, and only if all details come out OK, then you can click links". It's kind of a difficult problem, since they will DKIM sign with a MAIL FROM: frauds...@somerottenwebhost.ru and then in the MIME From: write "k...@yourbank.com", so the mail will pass DKIM validation and go through, but in the client "k...@yourbank.com" will be visible. If a QR code is used that exposes the DKIM signature, then it might prompt users to verify if they can just open the app and scan, in any webmail, in any client, everywhere.

-----Original message-----
From: Jaroslaw Rafa via mailop <mailop@mailop.org>
Sent: 14 December 2021 10:02
To: mailop@mailop.org
Subject: Re: [mailop] Idea for new internet standard: DKIM-QR

On 14.12.2021 at 08:30:11 Sebastian Nielsen via mailop wrote:
>
> The idea here is that an end-user should be able to scan'n'verify an
> email by QR-code and not have to worry about phishing.
[...]
>
> It's about excluding the client and the receiving server from the equation.

I think you are missing a very important point.

If someone actually is so much aware of possible phishing that he/she is willing to take extra steps (like scanning the QR code) to verify that the email is not a phishing, then he/she has already taken these steps (for example, checking the exact sender address, checking links in the message, and before all, being very suspicious of all messages that are *unexpected* - which is probably the most effective safeguard against phishing). For these people, your idea is pretty much redundant, as they already check their emails for possible phishing.

For those that are not aware enough, it is much better to teach them some simple rules like "NEVER click on any links in an email message" - as for example banks do to their customers - than to teach them about DKIM and using some app to verify it. In my opinion it is too much to expect from people that they will scan the code and compare details of the message headers with what the app shows. It's too complicated, too much effort needed.

And you still haven't addressed the case when someone receives their mail on their phone. Do they need another phone to scan the QR code? And reading the mail on the phone is just the case when one can more easily fall victim to a phishing message than on a computer, because of the obvious shortcomings of the phone's UI. It's not so easy to check the real sender of the email, headers, links etc. on a phone, while you can quite easily do that on a computer. Currently the majority of successful phishing attacks is via the phone. And more and more often, these attacks use SMS messages rather than email. Email phishing starts to become a bit "outdated", so I think it's a valid question whether it makes any sense now to invent new methods of protection against email phishing.

So my opinion is that your idea does not increase the protection level against phishing. It's mostly superfluous for "phishing-aware" users and when reading mail on a computer, too complicated for "not-phishing-aware" users and hard (if not impossible) to use when reading mail on a phone.

--
Regards,
Jaroslaw Rafa
r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop